Cyber Incident Victim: My Freedom Smokes
Date: Feb 2015
Location: United States of America
Summary
Malicious code was deployed on an electronic cigarette retailer's website, potentially compromising customer data submitted during online orders, including names, addresses, email and telephone contacts, payment card numbers, expiration dates, and CVV codes. The company removed the unauthorized code, implemented security enhancements with a third-party specialist, and changed its order processing system; it stored partial card numbers but reportedly did not retain CVVs. Some customers experienced fraudulent financial activity during the breach timeframe, though attribution remains unclear, and the company advised vigilance over bank statements without offering identity protection services.
Description
Malicious code was identified on the My Freedom Smokes website on March 16, 2015, during routine monitoring. The encrypted malware had been present since at least February 11, 2015, indicating a potential exposure window of over one month. Attackers leveraged this code to harvest customer data submitted during online purchases, including names, physical addresses, email addresses, telephone numbers, credit card numbers, expiration dates, and card verification values (CVV). The compromised information represented the complete dataset required to process orders through the electronic cigarette retailer's platform. While the company asserted it only stored partial payment card numbers and did not retain CVV data on its infrastructure, the breach notification explicitly listed CVV codes as potentially exposed, creating ambiguity regarding storage practices during the incident period.

Upon detecting the malware, administrators immediately removed the unauthorized code and initiated security enhancements with assistance from a third-party cybersecurity firm. My Freedom Smokes also modified its online order processing system, even though communications between customers and its payment gateway were already encrypted and remained encrypted throughout the breach. Customers reported unauthorized transactions on their payment cards during the exposure timeframe, though the company acknowledged difficulty conclusively linking these fraudulent charges to its breach versus other potential compromises. Unlike many data breach responses, My Freedom Smokes declined to provide complimentary identity protection services, instead distributing guidelines for monitoring financial accounts and identifying suspicious transactions. The retailer focused remediation efforts on infrastructure hardening without disclosing specific technical vulnerabilities exploited or attacker attribution.
